TITLE OF THE INVENTION

A Method for Grouping 802.11 Stations into Authorized Service Sets to Differentiate 
Network Access and Services 

BACKGROUND OF THE INVENTION 

The present invention relates generally to network access and more particularly to a 
method and system to differentiate network access for different classes of users. 

It is becoming increasingly important to differentiate network access for different classes of users, in particular different classes of wireless LAN users. One proposal for providing differentiated network access and services is that Access Points should implement a method wherein a Remote Authentication Dial-In User Server (RADIUS server) explicitly assigns an 802.11 station to a Virtual LAN identifier (VLAN ID) by returning a VLAN ID attribute in the RADIUS record for the station. Such RADIUS-based VLAN assignment has limited scope and severely restricts mobility: a large or campus network may contain multiple VLANs that provide equivalent services. For example, a campus network may contain multiple voice VLANs. If a RADIUS server explicitly assigns an 802.11 Voice over IP (VoIP) phone to a voice VLAN, then the phone is limited to a single voice VLAN; for example, the phone may be limited to a VLAN on a single floor in a single building. The only method for segregating users is "VLAN trunking"; therefore, the proposal is generally limited to network areas with a VLAN infrastructure. Thus there exists a need for a method and system wherein multiple parameters can be grouped into a Service Set, which is controlled by a single RADIUS attribute that is not limited to a VLAN ID assignment.

For the purposes of describing the present invention, an "authorized WSTA" is any station that is explicitly authorized to access the network via a security server, and a "guest WSTA" is not explicitly authorized to access the network. A RADIUS server is used as an example security server in describing the present invention, but as those skilled in the art can readily appreciate, the concepts of the present invention apply with any security server.

It should be noted that a "Service Set" as defined herein is not the same as an 802.11 Extended Service Set (ESS).

WO 2004/011986 PCT/US2003/022982

Additional objects, advantages and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of instrumentalities and combinations particularly pointed out in the appended claims.


BRIEF SUMMARY OF THE INVENTION 

In view of the aforementioned needs, the invention contemplates a method for an access point to associate a wireless station to either a home subnet or a VLAN based on a configuration stored locally at the access point. When a wireless station desires to associate with an access point, the wireless station sends a message to the access point, the message containing a service set identifier (SSID), which is an arbitrary "name" for a service set. The access point then associates the wireless station to either a home subnet or a VLAN based on the SSID.

The method may also further comprise creating one or more service sets at the access point wherein each service set has a unique SSID. The access point, upon receiving a message from a wireless station, then matches the SSID of the message with a service set stored locally at the access point. After the access point confirms that it has a match for the SSID, the access point may then verify that the connection by the wireless station is authorized and that the station is authorized to use the SSID. This would typically be accomplished by using a security server such as a RADIUS server.

If the wireless station is currently bound to a remote home subnet, the access point enables communication between the wireless station and the home subnet by tunneling to the home subnet. Alternatively, the access point may bind the wireless station to a home subnet that is local to the access point.

In an alternative embodiment, it is contemplated that the access point may send a list of subnets and/or VLANs available for the SSID. The wireless station then selects a subnet or VLAN.

In another embodiment, the present invention contemplates a computer-readable medium of instructions for an access point to associate a wireless station. The computer-readable medium comprises means for creating a service set at the access point, the computer-readable medium further comprising means for receiving a message from a wireless station, the message containing an SSID. The computer-readable medium also comprises means for verifying the access point has a matching service set for the SSID. The computer-readable medium further comprises means for authenticating a wireless station by accessing a security server that is communicatively coupled to the access point, the computer-readable medium having means for associating the wireless station to either a VLAN or a home subnet based on the SSID. In an alternative embodiment, the security server returns a list of one or more SSIDs for which the station is authorized. The station is prevented from accessing the network if its SSID does not match one of the SSIDs in the list returned by the security server.

The present invention further contemplates an access point, comprising means for assigning one of the group selected from a VLAN and a subnet to a service set; means suitably adapted for receiving a message from a wireless station, the message further comprising a SSID; means suitably adapted to match the SSID to the service set; means suitably adapted for authenticating a wireless station by accessing a security server; means for associating the wireless station to one of the group consisting of a home subnet or VLAN based on the SSID, wherein the service set home subnet or VLAN parameter is configured locally at the access point.

The access point may also further comprise means for binding the wireless station to the home subnet, and means for tunneling to the home subnet. In the alternative, the access point may have means for binding the wireless station to a local subnet.

In yet another embodiment, the present invention contemplates an access point, comprising means for creating a service set at the access point; means for accessing the access point by sending a message from the wireless station to the access point, the message comprising a SSID; means for verifying the access point has a matching service set for the SSID; means for authenticating the wireless station by the access point accessing a security server that is communicatively coupled to the access point; means for providing the wireless station with a list of subnets available for the SSID; and wherein the service set is configured locally at the access point.

The present invention also contemplates an 802.11 network, comprising a first basic service set comprising a first access point, and a second basic service set comprising a second access point. The first access point comprises means for creating a service set at the first access point; means for receiving a message from the wireless station to the first access point, the message comprising a SSID; means for verifying the first access point has a matching service set for the SSID; and means for associating the wireless station to a first home subnet based on the SSID. The second access point comprises means for creating a service set at the second access point; means for receiving a message from the wireless station to the second access point, the message comprising the SSID used in the message to the first access point; means for verifying the second access point has a matching service set for the SSID; and means for associating the wireless station to a second home subnet based on the SSID, wherein the first home subnet is different than the second home subnet.

In another embodiment, the present invention contemplates an 802.11 network, comprising a first basic service set comprising a first access point, and a second basic service set comprising a second access point. The first access point comprises means for creating a service set at the first access point; means for receiving a message from the wireless station to the first access point, the message comprising a SSID; means for verifying the first access point has a matching service set for the SSID; and means for associating the wireless station to a first VLAN based on the SSID. The second access point comprises means for creating a service set at the second access point; means for receiving a message from the wireless station to the second access point, the message comprising the SSID used in the message to the first access point; means for verifying the second access point has a matching service set for the SSID; and means for associating the wireless station to a second VLAN based on the SSID, wherein the first VLAN is different than the second VLAN.

Among those benefits and improvements that have been disclosed, other objects and advantages of this invention will become apparent from the following description taken in conjunction with the accompanying drawings. The drawings constitute a part of this specification and include exemplary embodiments of the present invention and illustrate various objects and features thereof.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING 

The drawings illustrate the best mode presently contemplated of carrying out the invention.

In the drawings:
FIG 1 is a block diagram illustrating the relationship between an AP, SSID and VLAN or Proxy Mobile IP Host as contemplated by the present invention;

FIG 2 is a block diagram illustrating a wireless station moving from one basic service set controlled by a first access point to a second basic service set controlled by a second access point;

FIG 3 is a block diagram illustrating the communications between a wireless station, access point, and a security server when a wireless station attempts to gain entry to a network;

FIG 4 is a block diagram illustrating the steps for configuring an access point for use with the present invention;

FIG 5 is a block diagram showing the steps for a wireless station to associate with an access point.



DETAILED DESCRIPTION OF INVENTION

The present invention contemplates a method where wireless stations (WSTAs) are partitioned into "Service Sets." A Service Set Identifier (SSID) identifies each service set. The SSID can be a standard 802.11 SSID.

A Service Set is an arbitrary grouping of one or more network service parameters. Service parameters may be used to differentiate network access for security purposes. For example, "guest" WSTAs that are restricted to secure "guest" subnets may be grouped into a "GUEST" Service Set. Service parameters may also be used to differentiate network services that are not necessarily related to security. For example, employee WSTAs that require a "Proxy Mobile IP" service for seamless campus mobility may be grouped into a "MOBILE-EMPLOYEE" Service Set.
Service Set authorization is accomplished in one of two ways. While the following examples use a RADIUS server, as those skilled in the art can readily appreciate, the authorization may be accomplished with any security server. First, a RADIUS server can explicitly authorize a WSTA to join one or more Service Sets. In the first case, the RADIUS server returns a list of allowed SSIDs in the RADIUS record for the WSTA. For backward compatibility with legacy 802.11 systems the absence of the SSID list can be interpreted as a list of all SSIDs. Second, a RADIUS server can explicitly assign a WSTA to a Service Set. In that case, the RADIUS server returns an "assigned SSID" in the RADIUS record for the WSTA. Note that the first method enables the WSTA to change its active Service Set without requiring configuration changes to the RADIUS database.
A standard 802.11 WSTA sends an association message, which contains an 802.11 SSID, each time it associates with a parent AP. A WSTA is only associated if it successfully passes any authentication criteria that are defined for its SSID, and the WSTA is authorized to join the Service Set identified by its SSID or is explicitly assigned to a different SSID by the RADIUS server. Unauthenticated "guest WSTAs" are assigned to a default guest Service Set, which may permit restricted access to the network.

Service set parameter values that determine a WSTA's home subnet are configured locally in wireless access points (APs) so that parameter values have local significance. For example, a campus network may contain multiple voice VLANs. A "VOICE" SSID can be bound to VLAN 10 in building 1 and VLAN 20 in building 2. A WSTA configured with the "VOICE" SSID can access any voice VLAN.

APs determine current Service Set parameter values from SSID configuration values and WSTA "context" information. For example, a WSTA may belong to a Service Set named "MOBILE" that has "seamless inter-subnet mobility" enabled. A "home subnet" may be configured for the "MOBILE" SSID in each AP. Initially, a "MOBILE" WSTA is bound to the home subnet configured for "MOBILE" in its parent AP. Thereafter, as the WSTA roams, it is seamlessly bound to its original home subnet, regardless of the "home subnet" configured for "MOBILE" in any new parent AP. A context transfer protocol is used to transfer the WSTA's home subnet context to a new parent AP.

The home subnet bindings for a "MOBILE" WSTA can be aged and discarded after the WSTA becomes inactive for some period of time so that the WSTA can be bound to a different, more optimal, home subnet when it becomes active again.

A WSTA's home subnet can be automatically derived by "snooping" the source IP address in IP packets transmitted by the WSTA rather than using an access point service set parameter value to bind the WSTA to a home subnet. In that case, an SSID/home-subnet database is used to determine if the WSTA is authorized to access the home subnet that corresponds to its IP address. The SSID/home-subnet database contains a list of "allowed" subnets for each SSID. The database can be statically configured. Alternatively, APs can automatically determine the subnet address for each subnet that is accessible via one of its configured SSIDs. Note that the subnet address for an SSID may not be the same in different APs. The list of allowed subnets for each SSID is the aggregate of the local SSID/subnet bindings in all APs. (This method is necessary to support WSTAs with a permanent IP address. It is also necessary to re-establish home subnet bindings that have been aged and discarded.)
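As an added illustration of the SSID/home-subnet database just described (constructed example code, not part of the patent), the following Python aggregates per-AP SSID/subnet bindings into the allowed-subnet list for each SSID, snoops the source address out of a raw IPv4 packet, and checks whether that address falls in a subnet allowed for the station's SSID. The AP names, SSIDs and addresses are made up, and the packet is built inline as sample input.

```python
import ipaddress
import struct
from typing import Dict, Optional, Set

IPv4Net = ipaddress.IPv4Network

# Constructed sample: each AP's local SSID -> subnet bindings. As the text notes,
# the subnet bound to an SSID differs from AP to AP (hypothetical names/addresses).
AP_BINDINGS: Dict[str, Dict[str, str]] = {
    "ap-building1": {"VOICE": "10.10.1.0/24", "MOBILE": "10.20.1.0/24"},
    "ap-building2": {"VOICE": "10.10.2.0/24", "MOBILE": "10.20.2.0/24"},
    "ap-building3": {"VOICE": "10.10.3.0/24"},
}


def aggregate_allowed_subnets(ap_bindings: Dict[str, Dict[str, str]]) -> Dict[str, Set[IPv4Net]]:
    """Build the SSID/home-subnet database: the allowed subnets for an SSID are
    the aggregate of that SSID's local SSID/subnet bindings across all APs."""
    db: Dict[str, Set[IPv4Net]] = {}
    for bindings in ap_bindings.values():
        for ssid, subnet in bindings.items():
            db.setdefault(ssid, set()).add(ipaddress.IPv4Network(subnet))
    return db


def source_ip_from_ipv4_packet(packet: bytes) -> Optional[ipaddress.IPv4Address]:
    """"Snoop" the source address from a raw IPv4 packet transmitted by a WSTA.
    Returns None for anything that is not a plausible IPv4 header (wrong version
    nibble, header length field below the 20-byte minimum, or truncated data)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    return ipaddress.IPv4Address(packet[12:16])  # source address is bytes 12..15


def authorize_home_subnet(db: Dict[str, Set[IPv4Net]], ssid: str,
                          src_ip: ipaddress.IPv4Address) -> Optional[IPv4Net]:
    """Return the allowed home subnet (most specific match) that contains the
    snooped source address, or None if the SSID is unknown or the address falls
    outside every subnet allowed for that SSID (the WSTA is then not authorized
    to access that home subnet via this SSID)."""
    candidates = [net for net in db.get(ssid, ()) if src_ip in net]
    if not candidates:
        return None
    return max(candidates, key=lambda n: n.prefixlen)


def build_ipv4_header(src: str, dst: str) -> bytes:
    """Construct a minimal 20-byte IPv4 header as sample input (checksum left at
    zero; the snooper above never validates it). Fields: version/IHL, DSCP/ECN,
    total length, identification, flags/fragment, TTL, protocol (17 = UDP),
    checksum, source, destination."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


if __name__ == "__main__":
    database = aggregate_allowed_subnets(AP_BINDINGS)
    snooped = source_ip_from_ipv4_packet(build_ipv4_header("10.20.2.77", "10.0.0.1"))
    print("MOBILE:", authorize_home_subnet(database, "MOBILE", snooped))  # 10.20.2.0/24
    print("VOICE: ", authorize_home_subnet(database, "VOICE", snooped))   # None
```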

By using the Service Set method as described herein, a WSTA can be assigned to a specific VLAN ID. However, this method is not limited to VLAN ID assignment. Instead, multiple parameters can be grouped into a single Service Set, which may be controlled by a single RADIUS or other security server attribute. Because the Service Set parameters are instantiated locally in parent APs, the Service Set parameters can be set to values that are optimal for the local network topology and current WSTA context. For example, either VLAN trunking or Proxy Mobile IP tunneling can be used, as is locally appropriate, to restrict guest WSTAs to a secure guest subnet.

Another feature that may be incorporated with the present invention is that a WSTA can change its Service Set without requiring changes to its RADIUS configuration. For example, a WSTA can inhibit seamless mobility, for example when it is running a non-IP application that prohibits inter-subnet mobility, by changing its active SSID to one that does not have Proxy Mobile IP enabled.

The method of the present invention may be implemented by using the standard 802.11 SSID; therefore, no changes are required to existing WSTAs to obtain the benefits of the present invention.

Referring now to Figure 1, there is shown an AP 102. The AP 102 as shown has four SSID numbers 104, 106, 108, 110. Each SSID number 104, 106, 108, 110 has a corresponding parameter 112, 114, 116, 118 assigned to it. For example, the AP 102 will associate VLAN 1 112 with SSID 1 104, VLAN 2 114 with SSID 2 106, Proxy Mobile IP Home Agent 1 116 with SSID 3 108, and Proxy Mobile IP Home Agent 2 118 with SSID 4 110.
Figure 2 shows an Extended Service Set (ESS) 200. The ESS comprises two basic service sets (BSS) 204 and 206. AP 102 controls BSS 204 and AP 202 controls BSS 206. A WSTA 208 is shown that travels a path 212 from BSS 204 to BSS 206. As contemplated by the present invention, when WSTA 208 associates with each AP 102 and 202, it sends an SSID (not shown) to the AP 102 or 202. Because each AP is individually configured, when WSTA 208 is associated with AP 202 it may be bound to a different VLAN or Proxy Mobile IP Home Agent than it was when it was associated with AP 102.

Referring now to Figure 3, there is shown a WSTA 302 attempting to gain access to AP 102. A message is sent from WSTA 302 to the AP 102. The AP 102 then attempts to authenticate the WSTA 302 by sending authentication message 306, comprising the WSTA 302 and the WSTA's SSID, to security server 304. If the security server 304 authenticates WSTA 302, it then sends a message 308 containing parameters for the WSTA 302 to the AP 102.

Figure 4 shows an example of a method that can be used for configuring an AP for use with the present invention. The process begins by defining a configuration at step 402. At step 404 the authentication criteria are defined. At step 406 the Service Sets and Identifiers are defined. Then, as shown at step 408, the parameters for each SSID are defined, which may be done either at the same time the Service Sets are defined or separately. As shown in step 410, Proxy Mobile IP is either configured or disabled for each SSID. As shown in step 412, if Proxy Mobile IP is enabled, then the default home subnet is configured as shown at step 414. If Proxy Mobile IP is disabled, then the default VLAN ID is configured as shown at 416. If there are more Service Sets to configure, then as shown in step 418 processing returns to step 410; otherwise, as shown in step 420, the process is completed.

In Figure 5 there is shown a procedure 500 contemplated by the present invention for a WSTA 208 to associate with an AP 102. Beginning at step 502, the WSTA 208 accesses the AP 102 by sending a message to the AP 102, the message including a service set identifier (SSID). As shown in step 504, the AP 102 checks to ascertain if it has a matching SSID. If the AP 102 does not have a matching SSID, then as shown in step 506 the AP 102 does not allow the connection.

If the AP 102 does have a matching SSID, then the AP determines at step 508 if the association is allowed for the WSTA 208. This can be done by accessing a security server, such as a RADIUS server. For example, when the RADIUS server is accessed, the RADIUS server returns a list of allowed SSIDs. The association for the WSTA is only allowed if the WSTA's SSID is in the list. This prevents unauthorized access to a service set that is supported in the AP. If the association is not allowed, then at step 510 the AP does not allow the connection.

If the AP 102 does have a matching SSID and the WSTA 208 is allowed to associate, then at step 512 the AP 102 determines whether to associate the WSTA 208 by subnet or VLAN. If the association is by subnet, then at step 514 the AP 102 binds the WSTA 208 to the home subnet. At step 516 the AP 102 determines if it can tunnel to the home subnet; if it can, then the process is completed as shown in step 518.

If the AP 102 cannot tunnel to the home subnet at step 516, then the AP 102 can bind the WSTA 208 to a local subnet as shown in step 520. Then, as shown in step 518, the process is completed.

If at step 512 it is determined that the WSTA 208 is to be bound to a VLAN, then the procedure goes to step 522 wherein the WSTA 208 is bound to a VLAN. Then the procedure is completed as shown in step 518.

While in the description of the process of Figure 5 the process terminates after associating the WSTA 208 to either a subnet or VLAN, as those skilled in the art can readily appreciate, other parameters may be configured at this point in time. As the WSTA 208 associates with another AP 202, the process is repeated. Because each AP 102, 202 has its own separate bindings for the Service Sets, when a WSTA 208 moves from one AP 102 to another AP 202, the VLAN or subnet that the WSTA 208 is bound to may change.
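The association procedure of Figure 5, together with the two RADIUS authorization methods from the detailed description (the allowed-SSID list, a legacy record with no list treated as "all SSIDs", an explicitly assigned SSID, and the default guest Service Set for unauthenticated stations), as an added Python model that is not the patent's own code. The station identifiers, SSIDs, addresses and the in-memory dictionary standing in for the RADIUS lookup are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ServiceSet:
    """One SSID's locally configured parameters at one AP (Figure 4, steps 406-416)."""
    ssid: str
    proxy_mobile_ip: bool                # step 410
    home_subnet: Optional[str] = None    # step 414 (used when Proxy Mobile IP is enabled)
    vlan_id: Optional[int] = None        # step 416 (used when Proxy Mobile IP is disabled)


@dataclass(frozen=True)
class RadiusRecord:
    """What the security server returns for an authenticated WSTA (message 308).
    allowed_ssids=None models a legacy record with no SSID list, which the text
    says is interpreted as "all SSIDs"; assigned_ssid models the second method,
    where the server explicitly assigns the WSTA to a Service Set."""
    allowed_ssids: Optional[List[str]] = None
    assigned_ssid: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    active_ssid: Optional[str] = None
    vlan_id: Optional[int] = None
    subnet: Optional[str] = None
    tunneled: bool = False


@dataclass
class AccessPoint:
    service_sets: Dict[str, ServiceSet]
    reachable_subnets: Set[str]           # home subnets this AP can tunnel to (step 516)
    local_subnet: str                     # fallback binding when it cannot (step 520)
    guest_ssid: Optional[str] = None      # default guest Service Set for unauthenticated WSTAs
    # Constructed stand-in for the RADIUS lookup: station id -> record (absent = not authenticated).
    radius: Dict[str, RadiusRecord] = field(default_factory=dict)

    def associate(self, station: str, ssid: str,
                  context_home_subnet: Optional[str] = None) -> Decision:
        # Steps 504/506: the AP must have a Service Set matching the offered SSID.
        if ssid not in self.service_sets:
            return Decision(False, "no matching SSID at this AP")
        # Steps 508/510: authenticate via the security server and authorize the SSID.
        record = self.radius.get(station)
        if record is None:
            if self.guest_ssid is None or self.guest_ssid not in self.service_sets:
                return Decision(False, "not authenticated and no guest Service Set")
            active = self.guest_ssid                      # unauthenticated guest WSTA
        elif record.assigned_ssid is not None:
            active = record.assigned_ssid                 # server-assigned Service Set
            if active not in self.service_sets:
                return Decision(False, "assigned SSID not configured at this AP")
        elif record.allowed_ssids is not None and ssid not in record.allowed_ssids:
            return Decision(False, "SSID not in the allowed list for this station")
        else:
            active = ssid                                 # allowed list matched, or legacy record
        ss = self.service_sets[active]
        # Step 512: bind by VLAN (step 522) or by home subnet (steps 514-520).
        if not ss.proxy_mobile_ip:
            return Decision(True, "bound to VLAN", active, vlan_id=ss.vlan_id)
        # A roaming "MOBILE" WSTA keeps the home subnet carried in its transferred
        # context, regardless of the home subnet configured for the SSID at this AP.
        home = context_home_subnet or ss.home_subnet
        if home in self.reachable_subnets:
            return Decision(True, "tunneled to home subnet", active, subnet=home, tunneled=True)
        return Decision(True, "bound to local subnet", active, subnet=self.local_subnet)


def build_sample_ap() -> AccessPoint:
    """Constructed configuration for one AP (all names and addresses are made up)."""
    return AccessPoint(
        service_sets={
            "VOICE": ServiceSet("VOICE", proxy_mobile_ip=False, vlan_id=10),
            "MOBILE": ServiceSet("MOBILE", proxy_mobile_ip=True, home_subnet="10.1.0.0/16"),
            "GUEST": ServiceSet("GUEST", proxy_mobile_ip=True, home_subnet="10.99.0.0/16"),
        },
        reachable_subnets={"10.1.0.0/16", "10.99.0.0/16"},
        local_subnet="10.2.0.0/16",
        guest_ssid="GUEST",
        radius={
            "phone-1": RadiusRecord(allowed_ssids=["VOICE"]),
            "laptop-1": RadiusRecord(),                       # legacy record: no SSID list
            "contractor-1": RadiusRecord(assigned_ssid="GUEST"),
        },
    )


if __name__ == "__main__":
    ap = build_sample_ap()
    for station, ssid in [("phone-1", "VOICE"), ("phone-1", "MOBILE"), ("visitor-1", "MOBILE")]:
        print(station, ssid, ap.associate(station, ssid))
```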

Although the invention has been shown and described with respect to a certain preferred embodiment, it is obvious that equivalent alterations and modifications will occur to others skilled in the art upon the reading and understanding of this specification. The present invention includes all such equivalent alterations and modifications and is limited only by the scope of the following claims.
CLAIM(S)

What is claimed is: 

1. A method for an access point to associate a wireless station, the steps comprising:

receiving a message from a wireless station, the message comprising a service set identifier; and

associating the wireless station to a service set, where a service set defines a set of network access parameter values; and

wherein a service set parameter value is configured locally at the access point.

2. The method of claim 1 further comprising grouping wireless stations into service sets, with each service set having a unique service set identifier.

3. The method of claim 1 further comprising configuring a list of service set identifiers at the access point, wherein a different set of service set parameter values is associated with each of the access point's service set identifiers.

4. The method of claim 1 further comprising verifying the access point has a matching service set for the service set identifier sent by the wireless station.

5. The method of claim 3 wherein the service set identifier is an 802.11 service set identifier.

6. The method of claim 1 further comprising authenticating the wireless station by the access point accessing a security server communicatively coupled to the access point.

7. The method of claim 6 wherein the security server is a Remote Authentication Dial-In User Server.

8. The method of claim 7 further comprising authenticating that the wireless station is authorized to use the service set identifier configured on the wireless station.

9. The method of claim 8 further comprising authenticating that the wireless station is authorized to use its service set identifier via an allowed service set identifier list contained in the RADIUS record for the wireless station.

10. The method of claim 1 further comprising binding the wireless station to a home subnet, based on a service set parameter value that identifies the home subnet.

11. The method of claim 10 further comprising tunneling the station to the home subnet.

12. The method of claim 11 further comprising a tunneling method where a proxy mobile IP entity in the network infrastructure establishes a Mobile IP tunnel to the home subnet for a Mobile IP unaware wireless station.

13. The method of claim 1 further comprising a method where a service set parameter is used to determine whether a wireless station requires proxy Mobile IP tunneling services.

14. The method of claim 13 further comprising a method wherein the home subnet for a wireless station is automatically determined by examining the source IP address in IP packets transmitted by the wireless station.

15. The method of claim 13 further comprising a method for verifying that the wireless station is authorized to access the home subnet wherein at least one access point is configured with a service set identifier and corresponding service set parameter value that identifies the home subnet.

16. The method of claim 1 further comprising binding the wireless station to an Ethernet VLAN, based on a service set parameter that is configured with a VLAN Identifier.

17. The method of claim 16 further comprising bridging the station to the VLAN on a wired or wireless VLAN trunk link attached to the access point, where all frames transmitted on the VLAN trunk link contain an explicit or implicit VLAN Identifier.

18. A method for an 802.11 access point to associate an 802.11 wireless station, the steps comprising:

creating a service set at the access point;

receiving a message from the wireless station by the access point, the message comprising an 802.11 SSID;

verifying the access point has a matching service set for the 802.11 service set identifier;

authenticating the wireless station by the access point accessing a security server communicatively coupled to the access point; and

associating the wireless station to one of the group consisting of a home subnet and a VLAN based on the service set identifier,

wherein the service set parameter values are configured locally at the access point.

19. The method of claim 18 further comprising binding the wireless station to the home subnet.

20. The method of claim 18 further comprising a method where the wireless station is bound to the same home subnet, even when it roams to an AP with a different VLAN ID or home subnet identifier configured for the service set identifier.

21. The method of claim 20 further comprising discarding the home subnet bindings for the wireless station after some period of inactivity so that the station can be bound to a different subnet when it again becomes active.

22. The method of claim 20 further comprising a method selected from one of the group consisting of wherein VLAN trunking is used to access the home subnet on access points that have a VLAN trunk link to the home subnet, and a Proxy Mobile IP tunnel is used to access the home subnet.

23. The method of claim 18 further comprising tunneling to the home subnet.

24. The method of claim 18 further comprising binding the wireless station to a local subnet.

25. A method for an 802.11 wireless station to associate with an 802.11 access point, the steps comprising:

creating a service set at the access point;

receiving a message from the wireless station by the access point, the message comprising an 802.11 service set identifier;

verifying the access point has a matching service set for the service set identifier;

authenticating the wireless station by the access point accessing a security server;

providing the access point with a list of service set identifiers that are permitted for the wireless station; and

wherein the service set is configured locally at the access point.

26. A computer-readable medium of instructions for an 802.11 access point to associate an 802.11 wireless station, the steps comprising:

means for creating a service set at the access point;

means for the access point to receive a message from the wireless station, the message comprising an 802.11 service set identifier;

means for verifying the access point has a matching service set for the 802.11 service set identifier;

means for authenticating the wireless station by the access point accessing a security server communicatively coupled to the access point;

means for associating the wireless station to one of the group consisting of a home subnet and a VLAN based on the service set identifier;

wherein the service set is configured locally at the access point.

27. The computer-readable medium of instructions as in claim 26 further comprising means for binding the wireless station to the home subnet.


28. The computer-readable medium of instructions as in claim 26 further comprising means for tunneling to the home subnet.

29. The computer-readable medium of instructions as in claim 26 further comprising means for binding the wireless station to a local subnet.

30. A computer-readable medium of instructions for an 802.11 wireless station to associate with an 802.11 access point, the steps comprising:

means for creating a service set at the access point;

means for the access point to receive a message from the wireless station, the message comprising a service set identifier;

means for verifying the access point has a matching service set for the service set identifier;

means for authenticating the wireless station by the access point accessing a security server;

means for providing the wireless station with a list of subnets available for the service set identifier;

wherein the service set is configured locally at the access point.

31. A computer-readable medium having stored thereon instructions which, when executed by a processor, cause the processor to perform the steps comprising of:

creating a service set at the access point;

receiving a message from the wireless station, the message comprising an 802.11 service set identifier;

verifying the access point has a matching service set for the 802.11 service set identifier;

authenticating the wireless station by the access point accessing a security server that is communicatively coupled to the access point;

associating the wireless station to one of the group consisting of a home subnet and a VLAN based on the service set identifier; and

wherein the service set is configured locally at the access point.

32. The computer-readable medium as in claim 31 further comprising instructions for binding the wireless station to the home subnet.

33. The computer-readable medium as in claim 31 further comprising instructions for tunneling to the home subnet.

34. The computer-readable medium of instructions as in claim 31 further comprising instructions for binding the wireless station to a local subnet.

35. A computer-readable medium having stored thereon instructions which, when executed by a processor, cause the processor to perform the steps comprising of:

creating a service set at the access point;

receiving a message from the wireless station to the access point, the message comprising a service set identifier;

verifying the access point has a matching service set for the service set identifier;

authenticating the wireless station by the access point accessing a security server that is communicatively coupled to the access point; and

providing the access point with a list of service set identifiers that are permitted for the wireless station; and

wherein the service set is configured locally at the access point.

36. An access point comprising:

means for assigning one of the group selected from a VLAN and a subnet to a service set;

means suitably adapted for receiving a message from a wireless station, the message further comprising a service set identifier;

means suitably adapted to match the service set identifier to the service set;

means suitably adapted for authenticating a wireless station by accessing a security server;

means for associating the wireless station to one of the group consisting of a home subnet and a VLAN based on the service set identifier;

wherein the service set is configured locally at the access point.

37. The access point as in claim 36 further comprising means for binding the 
wireless station to the home subnet. 

38. The access point as in claim 37 further comprising means for tunneling to 
the home subnet. 

39. The access point as in claim 36 further comprising means for binding the 
wireless station to a local subnet. 

40. The access point as in claim 36 wherein the access point is an 802.11 access 
point. 

41. An access point, comprising: 

means for creating a service set at the access point; 

means for accessing the access point by sending a message from the wireless station 
to the access point, the message comprising a service set identifier; 

means verifying the access point has a matching service set for the service set 
identifier; 

means for authenticating the wireless station by the access point accessing a 
security server that is communicatively coupled to the access point; 

means for providing the access point with a list of service set identifiers that are 
permitted for the wireless station; and 

wherein the service set is configured locally at the access point. 

42. The access point as in claim 41 wherein the access point is an 802.11 access 
point. 

43. An 802.11 network, comprising: 

a first basic service set comprising a first access point, and a second basic service 
set comprising a second access point; 

wherein the first access point comprises 

means for creating a service set at the first access point; 

means for receiving a message from the wireless station to the first access 
point, the message comprising a service set identifier; 

means verifying the first access point has a matching service set for the 
service set identifier; 

means for associating the wireless station to a first home subnet based on 
the service set identifier; and 

wherein the second access point comprises 

means for creating a service set at the second access point; 

means for receiving a message from the wireless station to the second access 
point, the message comprising the service set identifier used in the message to the 
first access point; 

means verifying the second access point has a matching service set for the 
service set identifier; 

means for associating the wireless station to a second home subnet based on 
the service set identifier; 

wherein the first home subnet is different than the second home subnet. 

44. An 802.11 network, comprising: 

a first basic service set comprising a first access point, and a second basic service 
set comprising a second access point; 

wherein the first access point comprises 

means for creating a service set at the first access point; 

means for receiving a message from the wireless station to the first access 
point, the message comprising a service set identifier; 

means verifying the first access point has a matching service set for the 
service set identifier; 

means for associating the wireless station to a first VLAN based on the 
service set identifier; and 

wherein the second access point comprises 

means for creating a service set at the second access point; 

means for receiving a message from the wireless station to the second access 
point, the message comprising the service set identifier used in the message to the first access point; 

means verifying the second access point has a matching service set for the 
service set identifier; 

means for associating the wireless station to a second VLAN based on the 
service set identifier; 

wherein the first VLAN is different than the second VLAN. 

45. A method wherein wireless stations (WSTAs) are partitioned into Service 
Sets, each Service Set comprising a Service Set Identifier and a network access parameter 
value, comprising the steps of: 

configuring an AP with a list of at least one service set identifier that identifies the 
service set the AP will accept; 

sending a message from the WSTA to its parent AP, the message comprising an 
active service set identifier for the WSTA, wherein the service set identifier is selected 
from the group consisting of explicitly identifying a service set, and a wildcard so that the 
WSTA's service set is selected by a network infrastructure; 

verifying by the parent AP that the parent AP has a service set identifier that 
matches the service set identifier sent by the WSTA; and 

authorizing the WSTA to use its service set identifier by a security server and a 
security protocol; 

wherein service set parameters that determine the WSTA's at least one of the group 
consisting of VLAN and home subnet may be configured with different values for the same 
service set identifier in a different AP. 

46. The method of claim 45 wherein the security server is a RADIUS server and 
the security protocol is RADIUS. 

47. The method in claim 46 further comprising a method wherein a list of 
allowed service set identifiers for a WSTA is sent from the RADIUS server to the parent 
AP in a RADIUS protocol message. 

48. The method in claim 46 further comprising a method where a RADIUS 
server explicitly assigns a WSTA to a service set by including a service set identifier 
in a RADIUS protocol message sent to the parent AP. 

49. The method in claim 45 wherein a service set parameter that determines 
the WSTA's home subnet contains at least one of a VLAN Identifier and an IP subnet 
address. 

50. The method in claim 49 further comprising a method where a WSTA is 
initially bound to a home subnet based on the service set parameter value in its parent AP, 
but the service set parameter is not used to bind the WSTA to a different home subnet as 
the WSTA roams to APs with a different service set parameter value, so that the WSTA is 
bound to a single home subnet as it roams. 

51. The method in claim 50 where either VLAN tracking or IP tunneling is 
dynamically selected to bind a station to a single home subnet as it roams, so that the most 
optimal available access method is used to forward packets between the WSTA and its 
home subnet. 

52. The method in claim 50 further comprising discarding home subnet 
bindings for a WSTA after the WSTA has become inactive for some period of time, so that 
the WSTA can bind to a different (i.e. more optimal) subnet when it again becomes active. 

53. The method in claim 49 further comprising a method where a WSTA is 
bound to a different home subnet when it roams to an AP with a different service set 
parameter value, so that the WSTA is bound to the "optimal" home subnet. 

54. The method in claim 45 where a WSTA uses a "wildcard" service set 
identifier to match a different service set identifier in the parent AP. 

55. The method in claim 45 where the service set parameter that determines 
the WSTA's home subnet contains a Mobile IP home agent address. 

56. The method in claim 45 further comprising a method wherein a service 
set parameter is used to determine whether a WSTA should be bound to a single home 
subnet as it roams in a network with multiple subnets. 

57. The method in claim 56 wherein a service set parameter is used to 
determine whether Proxy Mobile IP and Mobile IP tunneling is used to bind a station to a 
single home subnet. 

58. The method in claim 56 wherein the home subnet for a WSTA is 
determined by examining the IP address in IP packets transmitted by the WSTA. 

59. The method in claim 58 further comprising a method wherein a station 
is not bound to a home subnet unless it is authorized to access that home subnet. 

60. The method in claim 59 wherein a WSTA is authorized to access a 
home subnet only when there is at least one AP that has a parameter value for the service 
set identified by the WSTA's service set identifier that contains at least one of a VLAN ID 
and subnet address that identifies the home subnet. 

61. The method in claim 60 where a central database is used to authorize a 
WSTA to access a home subnet, wherein the central database contains a list of service set 
identifiers and, for each service set identifier, a list of allowed subnets. 

62. The method in claim 61 where the list of subnets for each service set 
identifier is statically configured or automatically populated with the local service set 
identifier and subnet bindings for each AP. 

63. The method in claim 45 wherein an unauthenticated WSTA is assigned 
to a guest service set and where service set parameter values, configured for the guest 
service set at least one AP, are used to restrict the WSTA to at least one guest subnet. 

64. The method in claim 45 wherein a WSTA is authorized to use more than 
one service set identifier so that the WSTA can change its service set without requiring 
configuration changes in the security server. 

65. The method in claim 45 wherein the service set identifier is an 802.11 
service set identifier and a wildcard service set identifier is an 802.11 broadcast service set 
identifier. 
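The admission and home-subnet binding steps that claims 45 through 65 describe (locally configured service sets, wildcard SSID, security-server authorization, guest service set, sticky home subnet with tunneling on roam, and inactivity expiry), as an added example in Python; this is not code from the patent. The SSIDs, VLAN numbers, subnets, MAC addresses and the dictionary standing in for the RADIUS server's allowed-SSID list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

WILDCARD = ""    # 802.11 broadcast SSID: infrastructure picks the service set (claim 65)
GUEST = "guest"  # service set for unauthenticated stations (claim 63)

@dataclass(frozen=True)
class ServiceSet:  # an SSID and its network access parameter value (claim 45)
    ssid: str
    vlan: int
    subnet: str

@dataclass
class Station:
    mac: str
    home: Optional[ServiceSet] = None  # home-subnet binding kept while roaming (claim 50)

# Constructed stand-in for the RADIUS server: allowed SSIDs per station (claim 47).
ALLOWED_SSIDS = {"00:11:22:33:44:55": ("voice", "data"), "66:77:88:99:aa:bb": ("data",)}

def match_service_set(ap_sets: dict, requested: str) -> Optional[str]:
    """Does the parent AP's locally configured table have a matching service set?"""
    if requested != WILDCARD:
        return requested if requested in ap_sets else None
    non_guest = [s for s in ap_sets if s != GUEST]
    return non_guest[0] if non_guest else None

def associate(sta: Station, ap_sets: dict, requested: str) -> Optional[dict]:
    """Admission and subnet binding for one (re)association; None means reject."""
    ssid = match_service_set(ap_sets, requested)
    if ssid is None:
        return None  # no matching service set at this AP
    if ssid not in ALLOWED_SSIDS.get(sta.mac, ()):
        ssid = GUEST  # not authorized for that SSID: restrict to the guest set
        if ssid not in ap_sets:
            return None
    local = ap_sets[ssid]
    if sta.home is None or ssid == GUEST:
        sta.home = local  # initial binding to this AP's locally configured subnet
    # The same SSID may map to another VLAN/subnet on this AP; keep the home
    # subnet and tunnel to it when the local value differs (claims 50 and 51).
    tunneled = local.subnet != sta.home.subnet
    return {"ssid": ssid, "vlan": sta.home.vlan, "subnet": sta.home.subnet, "tunneled": tunneled}

def expire_binding(sta: Station) -> None:
    sta.home = None  # inactivity timeout: next association may rebind locally (claim 52)
```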